If your firm manages less than $1.5 billion in assets, the SEC’s amended Regulation S-P takes effect for you on June 3, 2026. That is roughly eight weeks from today. Larger firms hit their deadline in December. Now it is your turn, and the requirements are substantial.
The amendments represent a meaningful expansion of what the SEC expects from registered investment advisers when it comes to protecting client data, responding to incidents, and managing the vendors you share that data with. Here is what you need to understand before the deadline arrives.
What Changed, and Why It Matters
Regulation S-P was originally adopted in 2000 and governs how covered financial institutions must safeguard the nonpublic personal information of natural persons. The world looked very different in 2000. Cloud platforms, third-party custodians, and SaaS-based portfolio management tools had not yet reshaped the typical RIA’s technology stack, and the threat environment was a fraction of what it is today.
The 2024 amendments represent a substantial expansion of the protections available to the customers of institutional securities market participants. The final rule establishes a new federal minimum standard for data breach notification, expands the definition of “customer information,” requires the adoption of policies and procedures for incident response and service provider oversight, and imposes new recordkeeping obligations.
In short: the SEC is holding smaller RIAs to a significantly higher standard than the original rule required. The four pillars of what the amendments demand are worth examining closely.
Requirement 1: A Written Incident Response Program
The SEC’s Regulation S-P amendments require covered entities to adopt an incident response program to detect, respond to, and recover from a breach of customer information. This program must exist in writing, and it must be operational, not aspirational. You cannot satisfy this requirement with a paragraph in your compliance manual or a reference to your IT provider’s general security practices.
Your incident response program needs to address what happens when something goes wrong: who is responsible for identifying a breach, how the investigation proceeds, who makes notification decisions, and how your firm recovers. If you do not have documented procedures that answer those questions today, you have a gap that needs to close before June 3.
Requirement 2: A 30-Day Client Notification Obligation
This is the most visible and consequential new requirement. Under the amended rule, RIAs must notify clients of any event that could endanger their personal data, unless the RIA has determined, after reasonable investigation, that sensitive client information has not been, and is not reasonably likely to be, used for substantial harm or inconvenience. Such notice must be sent as soon as practicable, and no later than 30 days after learning of the breach, to any affected or potentially affected clients.
Thirty days sounds manageable. In practice, it is not, especially if you do not already have documented procedures, pre-approved notification templates, and a clear escalation path in place. When an incident occurs, the investigation, decision-making, and client communication all need to happen within that window. Firms that have not rehearsed this process will find the timeline extremely tight.
Requirement 3: Vendor and Service Provider Oversight
This is where many smaller RIAs are most exposed, and where the rule’s reach may surprise you. “Customer information” now includes all client data in the RIA’s possession or handled by third parties on the RIA’s behalf, even if the data originated with another firm.
That means your custodian, your CRM provider, your portfolio management platform, and any other vendor touching client data all fall within the scope of your compliance obligations. Firms must develop and maintain written policies and procedures reasonably designed to ensure that service providers supply written notification to the adviser of unauthorized access to customer information maintained by the service provider within 72 hours of becoming aware of such unauthorized access. This 72-hour notification window is critical, as it ensures that covered institutions have sufficient time to conduct investigations and meet their own 30-day customer notification obligations.
If your vendor agreements do not currently include these notification requirements, they need to be renegotiated or updated before your compliance date. This process takes time, and firms that have not started it are running behind.
Requirement 4: Recordkeeping
Advisers must maintain written policies and procedures addressing customer information safeguards, incident response, notification, service provider oversight, disposal, and recordkeeping. The SEC examinations that follow the June 3 deadline will focus on whether firms can demonstrate compliance, and documentation is how you do that. Good intentions and verbal assurances will not hold up under examination.
What Larger RIAs Are Already Telling You
The December 3, 2025 deadline for firms above $1.5 billion has already passed. That cohort is now living under these requirements, being examined against them, and learning what compliance looks like in practice. The SEC’s examination staff has signaled that Regulation S-P readiness will be a priority, and examinations will likely focus on assessing advisers’ compliance readiness with the amended framework.
Smaller RIAs should treat the December cohort’s experience as a preview. The examination questions being asked of larger firms today will be directed at your firm later this year. The firms that prepared early are in a far better position than those scrambling to backfill documentation after an exam request arrives.
Where to Start If You Are Behind
With eight weeks remaining, the work is urgent but still achievable if you prioritize correctly. The most critical steps are:
- First, conduct a gap analysis of your current cybersecurity and incident response policies against the four amended requirements. Identify what exists, what needs updating, and what needs to be created from scratch.
- Second, audit your vendor relationships. Inventory every service provider that touches client data and review your contracts for the 72-hour notification requirement. Identify any agreements that need amendment.
- Third, build or update your written incident response plan. This document needs to be specific, role-assigned, and tested, not a template pulled from a compliance library.
- Fourth, prepare client notification templates in advance. When a breach occurs, you do not want to be drafting client communications under time pressure. Have approved language ready to go.
- Finally, establish your recordkeeping infrastructure. The SEC will want to see documentation of your compliance program, not just a description of it.
The Risk of Waiting
The consequences of failing to comply may include enforcement action. Beyond the regulatory exposure, the reputational risk of a poorly handled breach is significant for any firm that manages client wealth. The trust your clients place in your firm extends beyond portfolio performance. It includes confidence that their personal and financial information is protected.
The amended Regulation S-P requirements are not unreasonable. They reflect what a well-run firm should already have in place. But turning that expectation into documented, operational compliance takes time and expertise that most smaller RIAs do not have on staff.
If your firm is still working through the requirements or has not yet started, reaching out to a cybersecurity partner experienced in financial services compliance is one of the fastest ways to close the gap before June 3.
TorchLight provides managed cybersecurity services for financial institutions, including incident response program development, vendor risk management, and compliance readiness support. Contact us to learn how we can help your firm meet the amended Regulation S-P requirements.